Chat now with support
Chat with Support

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Adding a directory user group

An Asset Administrator (or delegate) must:

  1. Add a directory asset.
  2. Add the domain as an identity provider:

    • web client: Navigate to Appliance Management | Safeguard Access | Identity and Authentication.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication.

    For more information, see Identity and Authentication.

Next, the Authorizer Administrator or the User Administrator can add directory user groups.

The Security Policy Administrator, Authorizer Administrator, and User Administrator can add local user groups. For more information, see Adding a user group.

Import consideration

All users who are part of a directory import user group must have complete and valid attributes. If the attributes for a user are not complete and valid, the user is not imported and the import continues. For example, if you set the directory user group authentication properties to require secondary authentication and use the Starling 2FA provider, each user's email address and mobile phone number attributes must have values to be included during the import.

Port

The standard global catalog port, 3268 (LDAP), must be open on the firewall for every Windows global catalog server in the environment and SPP Appliance to communicate for directory management tasks (for example, adding a directory account, a directory user account, or a directory user group). LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.

Time

Because Microsoft Active Directory does not have a Time Zone attribute, when you add a directory group, the default time zone is set for all imported accounts to (UTC) Coordinated Universal Time. To reset the time zone, open each imported account in Users and modify the Time Zone on the Location tab.

Adding users to a user group

It is the responsibility of the Security Policy Administrator to associate both local or directory users to user groups. User groups belong to the identity group.

You can not add or remove users to or from a directory user group. This has to be done in Active Directory on the Directory Group object represented.

Directory group membership is still maintained in the directory, such as Active Directory.

To add users to a user group

  1. Navigate to:

    • desktop client: Administrative Tools | User Groups.
    • web client: Security Policy Management | User Groups or User Management | User Groups.
  2. In User Groups, select a user group from the object list and open the Users tab.
  3. Click  Add User from the details toolbar.
  4. Select one or more users from the list in the Users dialog and click OK.

    IMPORTANT: You cannot add a group to a user group's membership; group membership cannot be nested.

In the desktop client, if you do not see the user you are looking for and you have Authorizer Administrator or User Administrator permissions, you can click Create New to create users. For more information, see Adding a user.

Adding a user group to an entitlement

When you add user groups to an entitlement, you are specifying which people can request access to the accounts and assets governed by an entitlement's policies. It is the responsibility of the Security Policy Administrator to add user groups to entitlements.

To add a user group to entitlements

  1. Navigate to:

    • desktop client: Administrative Tools | User Groups.
    • web client: Security Policy Management | User Groups or User Management | User Groups.
  2. In User Groups, select a user group from the object list and open the Entitlements tab.
  3. Click Add Entitlement from the details toolbar.
  4. Select one or more entitlements from the Entitlements dialog and click OK.

In the desktop client, if you do not see the entitlement you are looking for and you have Security Policy Administrator permissions, you can click Create New and add the entitlement. For more information about creating entitlements, see Adding an entitlement (desktop client).

Deleting a user group

Both Authorizer Administrator and User Administrator can delete local and directory user groups. A Security Policy Administrator can only delete local groups without permissions on them.

When you delete a user group, Safeguard for Privileged Passwords does not delete the users associated with it.

To delete a user group

  1. Navigate to:

    • desktop client: Administrative Tools | User Groups.
    • web client: Security Policy Management | User Groups or User Management | User Groups.
  2. In User Groups, select a user group from the list.
  3. Click Delete Selected/Delete.
  4. Confirm your request.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating